General

Target: Remittance Advise.doc
Size: 1.0MB
Sample: 210727-fhfcq58qqa
MD5: ee9778dda2890792b7d5af77946a9436
SHA1: bdfec5e23d7ca0a12ca5347c644ea80fe21b2e00
SHA256: 787ea1dbb0b03d6454f97c437513294260d4300e0d787745bda191318add10b7
SHA512: 87a433e4e4b03a420f0a54a2894f8abb32a8b561a1be06c9a0cb673eb23357fb68f25e2d0cfe9314507b4d71db9293a12d83884f44a8680ead6fe991e56a71ed
Static task: static1

Behavioral task: behavioral1
Sample: Remittance Advise.doc
Resource: win7v20210410

Behavioral task: behavioral2
Sample: Remittance Advise.doc
Resource: win10v20210410
Malware Config

Extracted URL: httP://136.144.41.61/ordergoz.exe

Extracted family: snakekeylogger
Protocol: smtp
Host: smtp.wickwirewerehouse.com
Port: 587
Username: blessingss@wickwirewerehouse.com
Password: $BnDQ$@u%3
Targets

Target: Remittance Advise.doc
Score: 10/10

Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext